Seamless Campaign Uses RIG EK to Drop Ramnit Trojan

Below is a partial and edited flowchart of the malvertising chain that I got during this infection:

An edited image of the infection chain is shown below:

You can see that the Ramnit sample appears to check for Internet connectivity before making DNS queries for ujndhe7382uryhf.com, which resolves to 46.173.214.170. The DNS resolutions are followed by C2 traffic over TCP port 443.

Dynamic analysis of the sample shows file system changes that are to be expected from Ramnit:

- The Ramnit payload is dropped and detonated in %Temp%
- Numerous .log files are created
- The malware copies itself to %LocalAppData% in the folder \mykemfpi
- Malware is set to run at startup
- A .log file is created in %ProgramData% and contains 64 characters
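As an added example (not part of the original post or any tool it mentions), the script below turns the network and host observations above into a small matcher: it flags DNS and connection log lines that touch the C2 domain or IP on TCP 443, and flags files that fit the file-system changes (a copy under %LocalAppData%\mykemfpi and a 64-character .log in %ProgramData%). The log line format and the file snapshot are constructed for this example; the indicators themselves are the ones stated in the post. It assumes the 64-character .log file is single-byte encoded, so its size in bytes is 64.

```python
"""Match the Ramnit indicators from the post against constructed DNS/connection
log lines and a constructed host file-system snapshot (added example)."""
from pathlib import PureWindowsPath

# Indicators taken from the post.
C2_DOMAIN = "ujndhe7382uryhf.com"
C2_IP = "46.173.214.170"
C2_PORT = 443
DROP_FOLDER = "mykemfpi"      # folder created under %LocalAppData%
PROGRAMDATA_LOG_LEN = 64      # .log in %ProgramData% holding 64 characters (assumed 1 byte each)

# Constructed sample log; hypothetical format: "<ts> <kind> <client> <fields...>".
SAMPLE_NET_LOG = """\
2017-09-01T10:00:01Z dns 10.0.0.5 query connectivity-check.example
2017-09-01T10:00:02Z dns 10.0.0.5 query ujndhe7382uryhf.com
2017-09-01T10:00:02Z dns 10.0.0.5 answer ujndhe7382uryhf.com 46.173.214.170
2017-09-01T10:00:03Z conn 10.0.0.5 46.173.214.170:443
2017-09-01T10:00:09Z conn 10.0.0.5 93.184.216.34:443
"""

# Constructed snapshot: full path -> size in bytes.
SAMPLE_FILES = {
    r"C:\Users\analyst\AppData\Local\Temp\payload.exe": 140288,
    r"C:\Users\analyst\AppData\Local\mykemfpi\payload.exe": 140288,
    r"C:\ProgramData\qwerty.log": 64,
    r"C:\ProgramData\other.log": 1200,
    r"C:\Windows\System32\notepad.exe": 243712,
}


def scan_net_log(text):
    """Return (timestamp, client, kind, value) for every line touching the C2 domain/IP."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, kind, client, rest = parts[0], parts[1], parts[2], parts[3:]
        if kind == "dns" and C2_DOMAIN in rest:
            # Both the query and the answer carry the domain name.
            hits.append((ts, client, "dns", C2_DOMAIN))
        elif kind == "conn":
            host, _, port = rest[0].rpartition(":")
            if host == C2_IP and port.isdigit() and int(port) == C2_PORT:
                hits.append((ts, client, "conn", rest[0]))
    return hits


def scan_files(snapshot):
    """Return (finding_name, path) for files matching the post's file-system indicators."""
    findings = []
    for path, size in snapshot.items():
        p = PureWindowsPath(path)
        parts = [s.lower() for s in p.parts]
        # Copy of the malware under %LocalAppData%\mykemfpi.
        if "appdata" in parts and "local" in parts and DROP_FOLDER in parts:
            findings.append(("localappdata_copy", path))
        # 64-character .log file directly under %ProgramData%.
        if p.suffix.lower() == ".log" and "programdata" in parts and size == PROGRAMDATA_LOG_LEN:
            findings.append(("programdata_64_char_log", path))
    return findings


if __name__ == "__main__":
    for hit in scan_net_log(SAMPLE_NET_LOG):
        print("network:", hit)
    for finding in scan_files(SAMPLE_FILES):
        print("host:", finding)
```

Against the constructed input this reports the two DNS lines and the single TCP 443 connection to 46.173.214.170, plus the %LocalAppData%\mykemfpi copy and the 64-byte .log under %ProgramData%; the connectivity-check query and the unrelated 443 connection are not flagged, which is the point of matching on the specific domain, IP and port rather than on "any DNS followed by 443".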

We also see modifications to the registry that are used for persistence on the system: